General
-
Target
my_attach_p9z.js
-
Size
1.3MB
-
Sample
200602-hx1zqnqct2
-
MD5
0f53b4c5086c57cff699d45ec60e9be7
-
SHA1
d6828f80ad6dc995dce8fdb4f91684c26fdc8b2f
-
SHA256
d3a8808346fa4ddc5a7bbb3d0aac059caa2a96c99f574c6311cddb6ee973fae4
-
SHA512
9b649176461bb598ff4988f5ad4ea534ef8f9e41707c5d1a3d99eabf768ddec37a22a7b5c52db729cae6bab603f1d95703c8563d3fa215ab5b40e7843e29ad53
Malware Config
Extracted
gozi_ifsb
3300
app.allage.at/api1
g8.farihon.at/api1
g4xp7aanksu6qgci.onion/api1
api3.lepini.at/api1
l35sr5h5jl7xrh2q.onion/api1
chat.allage.at/api1
6buzj3jmnvrak4lh.onion/api1
chat.pinole.at/api1
far.gaploop.at/api1
ram.unici.at/api1
cd2.gaploop.at/api1
-
build
250143
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
730
Targets
-
-
Target
my_attach_p9z.js
-
Size
1.3MB
-
MD5
0f53b4c5086c57cff699d45ec60e9be7
-
SHA1
d6828f80ad6dc995dce8fdb4f91684c26fdc8b2f
-
SHA256
d3a8808346fa4ddc5a7bbb3d0aac059caa2a96c99f574c6311cddb6ee973fae4
-
SHA512
9b649176461bb598ff4988f5ad4ea534ef8f9e41707c5d1a3d99eabf768ddec37a22a7b5c52db729cae6bab603f1d95703c8563d3fa215ab5b40e7843e29ad53
Score10/10-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-